Governance with FOSSology and FOSSBazaar: Rights and Licensing
At CeBIT Open Source 2009 Martin Michlmayr, past Debian project lead, presented his current projects FOSSology and FOSSBazaar, and spoke about the role his employer Hewlett-Packard is giving him in the governance project and how the FOSSBazaar work group is organized within the Linux Foundation.
Britta Wülfing of Linux Magazine Online interviewed Michlmayr after his talk to find out more about his work at the Open Source Initiative (OSI) and the European Union Public License (EUPL). Here are the results of that conversation.
LMO: To whom is FOSSBazaar targeted?
Michlmayr: FOSSBazaar is clearly enterprise-oriented, not necessarily directed at technologists, but more to managers, lawmakers, procurement officers. With this project we want to cover thematically the entire bandwidth of Linux and Open Source.
LMO: What interest does HP have in it?
Michlmayr: HP has to do this work anyway with all its products and programs. It has to be clear for each software what licenses and rights are attached to it, how they are to be maintained and supported. We have to do it, everyone has to do it. Why not together then?
LMO: There are already several projects concerned with this topic, for example the Freedom Task Force of the Free Software Foundation or Harald Welte with gpl-violoations.org . Are there differences or do you work together?
Michlmayr: Yes, we're working together on certain levels. We have intensive discussions on mailing lists, and we're providing seminars together with the French INRIA [National Institute for Research in Computer Science and Control] research institute.
LMO: How is the project adopted by enterprises?
Michlmayr: We're working with a platform that everyone can access. Truthfully many enterprises apparently have a problem in openly talking or writing about licensing and rights. That requires some convincing on our part.
LMO: The term "governance" might be considered a body of rules and standards, which seems somewhat unwieldy. Isn't it a bit daunting for smaller and middle sized enterprises?
Michlmayr: That's a hard one. We don't want to instill any FUD on anyone, but simply clarify. Of course some examples present some problems, such as when a single software includes dozens of Open Source licenses. We'd rather like to collect examples of how many projects actually include only one license.
LMO: The plethora of licenses is always a hot topic in the OSI, where you're also active. There's been a suggestion to limit things to three licenses. What's your take on this?
Michlmayr: Whether to limit things realistically to three licenses is a good question. But I feel that everyone involved in this is agreed certainly on limiting them. That's why careful thought is given to new licenses and if they should be distributed. There are obviously vanity factors involved when a license happens to bear the name of its issuer. But one new license is bound to be of true value in the near future: the EUPL [European Union Public License]. For the first time we'd have a license available in all European languages and valid everywhere, that is, all translations have been legally scrutinized. Also of practical value is that EUPL code can be converted to GPL code.
LMO: When can we expect to see OSI approval of the EUPL?
Michlmayr: We can't give an exact date, but it's bound to happen soon.
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.